On 1/9/2014 10:28 AM, Paolo Andretta wrote:
>
> I want to block all UDP traffic from servers in the NATted DMZ, except DNS
> traffic, which I think is the only kind needed.
>
> My solution is:
>
>
> DNS(ACCEPT) dmz:192.168.110.0/24 all
> DROP dmz:192.168.110.0/24 net:!8.8.8.8,208.67.222.222 udp
>
> where 8.8.8.8 and 208.67.222.222 are the DNS servers in /etc/resolv.conf.
>
>
> I still have slow connections and name resolution.
>
> Is there a better solution?
To start with, I would add logging to the DROP rule so you can see what that rule is blocking; that might give you a clue...

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
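A worked version of the "add logging to the DROP rule" advice, as an added example that is not part of the thread and not Shorewall project code. It assumes the DROP rule quoted above is changed to `DROP:info` (Shorewall's ACTION:level syntax, which logs each match at syslog level info before dropping), that Shorewall's default LOGFORMAT yields a `Shorewall:<chain>:DROP:` prefix in the kernel log, and that the chain for dmz-to-net traffic is named `dmz2net`; the log lines, addresses and ports are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a logging Shorewall
# DROP rule reports, so the person debugging can see which UDP traffic the
# rule actually catches. Assumes the rule in /etc/shorewall/rules changed from
#     DROP      dmz:192.168.110.0/24   net:!8.8.8.8,208.67.222.222   udp
# to
#     DROP:info dmz:192.168.110.0/24   net:!8.8.8.8,208.67.222.222   udp
# and that the default LOGFORMAT produces a "Shorewall:<chain>:DROP:" prefix;
# the chain name dmz2net is an assumption.

# Constructed sample log lines standing in for /var/log/messages or
# `journalctl -k`; hosts and ports are invented (RFC 5737 ranges).
SAMPLE_LOG='Jan  9 10:28:01 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.5 DST=203.0.113.10 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=33012 DPT=123 LEN=56
Jan  9 10:28:02 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.5 DST=203.0.113.10 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=33012 DPT=123 LEN=56
Jan  9 10:28:05 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.7 DST=198.51.100.53 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=41234 DPT=53 LEN=48
Jan  9 10:28:09 fw kernel: Shorewall:dmz2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.110.7 DST=192.0.2.8 LEN=1200 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=1180
Jan  9 10:28:10 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024'

# summarize_drops CHAIN
# Reads kernel log text on stdin and prints "COUNT SRC DST DPT" for every
# dropped UDP packet logged by CHAIN, most frequent first. Fields are parsed
# from the KEY=VALUE tokens the netfilter LOG target writes.
summarize_drops() {
    chain="$1"
    grep "Shorewall:${chain}:DROP:" |
    awk '{
        src = ""; dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC")   src   = kv[2];
            if (kv[1] == "DST")   dst   = kv[2];
            if (kv[1] == "PROTO") proto = kv[2];
            if (kv[1] == "DPT")   dpt   = kv[2];
        }
        if (proto == "UDP") print src, dst, dpt;
    }' |
    sort | uniq -c | sort -rn
}

# count_udp_drops CHAIN
# Total number of dropped UDP packets for CHAIN (reads stdin), for a quick
# "is the rule firing at all" check.
count_udp_drops() {
    summarize_drops "$1" | awk '{ n += $1 } END { print n + 0 }'
}

# Run against the constructed sample when executed directly; on a real
# firewall replace the printf with e.g.  journalctl -k | summarize_drops dmz2net
printf '%s\n' "$SAMPLE_LOG" | summarize_drops dmz2net
```

In the sample, the top line shows the same DMZ host repeatedly sending UDP/123 (NTP) to a non-resolver and being dropped; on the real box the destination ports in this summary are what tell you whether the slowness is name resolution (DPT=53 to a server not in the `net:!...` exclusion list) or some other UDP service the DMZ hosts depend on.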
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
